Why Adversaries Target VPN Appliances: The Pathway from IT to OT Cyber Attack
ID: 84f41583-e458-5e07-ae65-db30a322ef6c
STIX ID: report--84f41583-e458-5e07-ae65-db30a322ef6c
Feed Name: Dragos Blog
Dragos observed widespread brute-force VPN login attempts across North American critical infrastructure sectors (electric, oil & gas, water/wastewater, manufacturing) targeting Cisco SSL-VPN, Fortinet VPN, and Palo Alto GlobalProtect appliances. The attackers used VPS-based bulletproof hosting and a mix of valid, former, and random usernames. The activity represents early-stage reconnaissance aimed at gaining IT access to later pivot into OT environments. The report outlines reconnaissance, credential theft, lateral movement, potential OT impacts, and mitigation recommendations.
